10-05-2006 03:44 PM
Hi,
I am trying to enable PKI on a PIX 6.3 device, but could not do this because of some failure.
Here is the error message that the system reports when I give the ca authenticate... command:
CRYPTO_PKI: socket connect error.
CRYPTO_PKI: status = 0: failed to open http connection
CRYPTO_PKI: status = 65535: failed to send out the pki message
CRYPTO_PKI: transaction GetCACert completed
This is the CLI that I am trying to configure:
ca generate rsa key 512
ca identity cisco x.x.x.x:/certsrv/mscep/mscep.dll
ca configure cisco ca 2 11
ca authenticate cisco xxxxx
Can I know if someone knows what the actual problem is, and any solution for it?
Thanks,
Radhika
10-08-2006 06:40 PM
OK, I'll take a shot at this...
The error says your PIX couldn't connect to the CA server... Make sure you're not blocking TCP traffic between the PIX & the CA. If traffic isn't blocked, is the CA set up?...
>ca identity cisco x.x.x.x:/certsrv/mscep/mscep.dll
Looks like this is a Microsoft CA server, is that right? If so, have you already installed the appropriate "Certificate Services Add-on" for the OS?
For 2000 Server, this would be: "Certificate Services Add-on for Cisco Enrollment Protocol," from the 2000 Server Resource Kit.
For 2003 Server, it would be: "Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services," from the 2003 Resource Kit.
(See the Resource Kit help docs, search for "CEP" or "Cisco").
If this is an MS CA server, you need to include a challenge password. To get the server to issue a challenge password, browse to: http://yourCA/certsrv/mscep/mscep.dll
Then run:
ca enroll
("
>ca configure cisco ca 2 11
You could also try changing this so the PIX will accept certificates even if the CRL isn't accessible:
ca configure cisco ca 2 11 crloptional
And of course, make sure your clock is accurately set, etc. If you haven't already, see the following docs for info on configuring the PIX for CA's:
Configuring IPSec and Certification Authorities: http://tinyurl.com/6fpxw
IPSec Between PIX & Cisco VPN Client Using Smartcard Certificates: http://tinyurl.com/ru9g
cheers
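The reply above points at the first thing the debug output tells you: "socket connect error" means the PIX never completed the TCP handshake to the CA, so nothing SCEP-related has been tested yet. The following Python script is an added example (not code from this thread or from Cisco): it parses the ca identity line into the SCEP URL the PIX requests during ca authenticate, maps the CRYPTO_PKI debug lines to the stage that failed, and checks plain TCP reachability of the CA host from wherever you run it. The sample debug lines and the local listener used for the self-check are constructed here; the default script path /cgi-bin/pkiclient.exe is what the PIX uses when no path is given and is stated as an assumption in the code.

```python
"""Triage helper for PIX 'ca authenticate' failures (added example, not Cisco code)."""
import re
import socket
import threading
import urllib.parse

# Assumption: PIX falls back to this SCEP script path when 'ca identity' gives none.
DEFAULT_SCEP_PATH = "/cgi-bin/pkiclient.exe"

# Constructed sample of the debug output quoted in the question.
DEBUG_SAMPLE = [
    "CRYPTO_PKI: socket connect error.",
    "CRYPTO_PKI: status = 0: failed to open http connection",
    "CRYPTO_PKI: status = 65535: failed to send out the pki message",
    "CRYPTO_PKI: transaction GetCACert completed",
]

# Debug phrases and the stage of the enrollment exchange they belong to.
STAGES = [
    ("socket connect error", "tcp-connect"),
    ("failed to open http connection", "tcp-connect"),
    ("failed to send out the pki message", "http-send"),
]

HINTS = {
    "tcp-connect": "TCP to the CA host never completed: check ACLs/firewall between PIX "
                   "and CA, the CA address in 'ca identity', and that the CA web service is up.",
    "http-send": "TCP works but the HTTP/SCEP exchange failed: confirm the SCEP add-on "
                 "(mscep.dll) is installed and the script path in 'ca identity' matches.",
    "ok": "No failure markers found in the debug output.",
}


def parse_ca_identity(line):
    """Parse 'ca identity <nickname> <host>[:<path>]' into (nickname, host, path)."""
    m = re.match(r"^\s*ca\s+identity\s+(\S+)\s+([^:\s]+)(?::(\S+))?\s*$", line)
    if not m:
        raise ValueError("not a 'ca identity' line: %r" % line)
    nickname, host, path = m.groups()
    return nickname, host, path or DEFAULT_SCEP_PATH


def getcacert_url(nickname, host, path, port=80):
    """Build the SCEP GetCACert request the PIX issues on 'ca authenticate'."""
    query = urllib.parse.urlencode({"operation": "GetCACert", "message": nickname})
    netloc = host if port == 80 else "%s:%d" % (host, port)
    return "http://%s%s?%s" % (netloc, path, query)


def classify_debug(lines):
    """Return the earliest failing stage seen in CRYPTO_PKI debug lines, or 'ok'."""
    for line in lines:
        for needle, stage in STAGES:
            if needle in line:
                return stage
    return "ok"  # 'transaction ... completed' alone does not mean success


def tcp_reachable(host, port=80, timeout=3.0):
    """True if a TCP connection to host:port completes; this is the step the PIX reports as 'socket connect error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def local_listener():
    """Start a throwaway TCP listener on 127.0.0.1 (used for the self-check); returns (port, socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def _accept_once():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass

    threading.Thread(target=_accept_once, daemon=True).start()
    return srv.getsockname()[1], srv


def closed_local_port():
    """Reserve and release a local port so a connect to it is refused (self-check only)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    nickname, host, path = parse_ca_identity("ca identity cisco x.x.x.x:/certsrv/mscep/mscep.dll")
    print("PIX will request:", getcacert_url(nickname, host, path))
    stage = classify_debug(DEBUG_SAMPLE)
    print("Failing stage:", stage, "->", HINTS[stage])
    print("TCP/80 reachable from here:", tcp_reachable(host, 80))
```

Run it with the real ca identity line and the debug lines from the PIX; if tcp_reachable() is False from a host on the PIX's inside segment as well, the problem is reachability (filtering, routing, or the CA service) rather than the SCEP add-on or the challenge password.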
08-15-2007 10:06 PM